GS Advisory Board: Data security on the mind - Part II
Over the past two years, the media have been abuzz with news about financial data security leaks, identity fraud and the like. We'd like to better understand the implications for the acquiring community, especially ISOs and merchant level salespeople (MLSs).
Perception (including the public's) plays a crucial role in our industry's reaction to recent events. With this in mind, and understanding that members of The Green Sheet Advisory Board represent different constituencies within the industry, we asked them the following questions:
- How secure do you perceive your transaction processor to be vis-à-vis the industry as a whole?
- Do you believe our industry takes threats of data security breaches seriously?
- How do you perceive your organization's liability with respect to such breaches?
- Do you provide in-house training on data security for your sales staff and/or merchants?
- Do you think your merchants are engaged in necessary diligence with respect to the treatment of their customers' transaction data?
- Do you believe it is appropriate, or even possible, for ISOs and processors to reserve against liabilities associated with data security breaches?
- How familiar are you with the Payment Card Industry (PCI) Data Security Standard? Do you consider your organization to be PCI compliant? What about your clients?
- Should there be some underlying criteria for evaluating PCI compliance?
Because we asked a lot of questions, and responses were lengthy, we divided this article into two parts. (See "GS Advisory Board: Data security on the mind - Part I" in The Green Sheet, June 12, 2006, issue 06:06:01.) The numbers next to the responses correspond with questions one through eight. Following is the second set of GS Advisory Board responses, in alphabetical order:
Steve Eazell, Secure Payment Systems Inc.
1. I feel confident that we as a processor are secure. I believe it is a grave concern for all involved in the acquiring industry, and I am not so confident that we can rest in the security of all processors.
2. As a rule, yes, but the proof is in the pudding, and we continue to see security breaches. I believe that most of the top organizations, including the card Associations, are trying to stop these breaches, but we still see them.
3. We are responsible.
5. No.
6. Appropriate? Yes. Possible? That would depend on the source.
Jerry M. Julien, Equity Commerce LP
1, 2. By partnering with industry processing leaders Vital [now TSYS Acquiring Solutions] and Paymentech [now Chase Paymentech Solutions], we feel our processing partners take PCI compliance and security very seriously and are extremely secure. With the events of the last year, the industry as a whole has learned security and PCI compliance are not only important and good business practices, but also if they don't comply with and maintain these standards they may even be cut off or put out of business by the card Associations.
While I think the industry is now taking security seriously, there are still many areas in which PCI compliance is not being followed. These may be minor areas, such as transmitting a full card number via e-mail, which would not lead to a full scale security incident; however, this practice is still out of compliance and not secure.
3. While the perception may be that "as a registered ISO or MSP I have no liability if my processor is the victim of a security or hacking incident," I know this is not the case. Since a third-party processor is not a card Association member and is merely sponsored into the card Associations, if an incident does occur, the sponsor bank will receive any associated fines and/or penalties related to the incident and will then look downstream to its ISO/MSP in an attempt to recoup these costs.
4. Yes, we provide our agents and merchants with best practice policies related to security, fraud, and chargebacks and retrievals. We also constantly provide them with card Association updates and industry news via a variety of formats.
5. Merchants as cardholders themselves are now beginning to take the proper diligence in maintaining secure practices. There have been many areas that are causing the merchants to not only recognize the importance of diligence (such as media coverage) but also the possibility of receiving a fine from the card Associations. Card truncation on receipts and other technology developments also have made it easier for merchants to maintain diligence. I also feel sales agents are doing a much better job explaining diligence, its importance and the impacts for not complying.
6. Many companies are now enforcing quarterly or annual fees to help defray the costs associated with making sure their merchants are maintaining secure business practices. There are other ways a company may protect itself: insuring those it partners with, structuring contractual language or taking out insurance policies.
7. I consider myself to be very familiar with the PCI security standards. Equity Commerce takes PCI compliance very seriously and works hard every day to maintain these standards as well as to keep abreast of new tools, news and threats that could impact us and our partners and merchants.
Allen Kopelman, Nationwide Payment Systems Inc.
From an MLS and small sales office's point of view, I don't think anyone has an idea or knows what the impact would be on his business if any kind of data breach happened with his merchants' using software, POS systems or Web sites.
1. We use Global Payments Inc. and [TSYS Acquiring Solutions] for the majority of our merchants. Our perception is that all is well and everything is safe.
2. I don't know who is taking data breaches seriously. Merchants don't ask about it, and this amazes me. I have not seen anything in a merchant agreement that addresses data breaches (i.e., who is responsible and is there a fine or is that just covered by the part in the agreement that says "you will abide by the rules and regulations of Visa and MasterCard"?).
3. There is nothing in our contract that specifically says we are liable for a data breach, but who knows what the Visa and MasterCard regulations and rules say about who is going to pay?
4. None of the processors we use have talked to us about data security at all.
5. The merchants who are using terminals have the least to worry about as long as they keep the detailed reports locked safely. Merchants who have access to detailed online reporting information could do damage, but the processors would know where that came from. Merchants with POS systems have no clue what the systems do with the credit card numbers after they are processed. Are the numbers saved on the systems? How are they saved?
Merchants who have POS systems have the most to worry about; they typically do more transactions than merchants with stand-alone terminals, and the information is on a computer with access to the Internet.
6. I don't know who is liable. I would think that merchants who are using computer systems need to be liable for their systems. We don't store any information like that on our systems, and I would not want to be liable for any of our merchants.
7. I don't think that merchants know anything about PCI requirements, and the ones who should care are those with POS systems. No information explaining if merchants are liable and the questions they should be asking their POS system provider has been provided to us by any banks or processors.
I have not read anything about a merchant being fined by Visa and MasterCard, although the only breach in which a merchant was concerned that I have heard about was DSW Shoe Warehouse. And an unnamed office product store had issues, but no fines were ever mentioned in connection with those incidents.
Garry O'Neil, Electronic Exchange Systems
1. Actually, it is impossible for the ISO community to know how secure their processor is since the processors don't let us in on their security processes. We can only hope that they use full-time, aggressive methods to protect the data that they hold. Assuming that they have more to lose than we do, we can only think that the downside costs are so great that they are diligent.
2. Yes, I think that all the bad press and losses have completely awakened this usually head-in-the-sand industry.
3. Since we don't hold cardholder information, then we don't have the exposure that the processors have, but we do hold some information that can be interpreted by bad players. We hope that our firewalls and monitoring will prevent any problems.
4. Since we take liability and do risk monitoring, it is always on our collective minds, and training of our in-house people is constant. Unfortunately, our merchants don't understand the threats to them. Our bank channel, on the other hand, has the same training as our in-house employees.
5. No, and they never have been. It has always been up to us to try to protect the end user.
6. We can reserve against liabilities for anticipated problems, but the merchants will never go along with it, and there will always be an ISO that will not follow the generally accepted practices.
7. Our company is as familiar as it needs to be considering our liability. We are also as compliant as we need to be. Our merchants are the real liability threat.
8. If any of the processors, banks or card Associations could agree, then yes. In the meantime, we can only do what we can do and follow the rules.
David H. Press, Integrity Bankcard Consultants Inc.
2. My perception is that the threat wasn't being taken seriously until the hype over the CardSystems' breach. There has been a lot of confusion over how the PCI requirements apply to ISOs and the usual lack of enthusiasm to spend money on non-revenue-producing items.
As a part of our consulting services, we work with ISOs to determine the level required for ISOs, their third-party service providers and their merchants and whether they need an annual onsite security audit and quarterly network scan or an annual self-assessment questionnaire and a scan.
Lisa Shipley, Hypercom Corp.
7. Hypercom has been involved with PCI since the introduction of the PCI PIN entry device program. We have a security team that is responsible for ensuring our compliance with industry security requirements globally. Although PCI is not a large part of our company's compliance requirements, we anticipate it being so in the near future. Because of this, Hypercom is very proactive in all aspects of PCI.
J. David Siembieda, CrossCheck Inc.
1. As a check-approval provider, we are our own transaction processor. As such, we take our security very seriously and are constantly adding new programs and upgrades to our systems to ensure we have the tightest controls in place at all times.
2. Yes, our industry takes security threats seriously, but we need to be constantly diligent with security. Good progress is being made by those in the payments industry, but more work needs to be done at all levels.
Our merchants and customers need to know that we, as payment processors and providers, are taking this extremely seriously and are willing to make a commitment to maintain a top level of security now and in the future. Everyone in the payments industry needs to do this to maintain merchant confidence and trust.
3, 4. Data security is important for all facets and departments of our business, not just sales, and we address these issues in company training materials and ongoing training classes. We are in the process of developing a program that would provide security information and fraud prevention tips to our merchants.
5. I don't think that security is a high priority for many merchants unless they've been hit with a problem or are in a higher-risk business.
Turnover and training is an issue for many retailers, and this can impact how staff is trained in regard to securing information.
7, 8. At CrossCheck we partner with most of the top bankcard acquirers, and so we are very familiar with PCI requirements. As an industry we should work to put standards in place to monitor and measure compliance and not leave it open to interpretation.
Scott Wagner, Humboldt Merchant Services
1. In theory, they should be the most secure as they are the biggest.
4. A resounding yes. We are part of a bank, and security is paramount here. We have rules and regulations that we must adhere to, or we will lose our bank charter. We are not your typical processor or ISO.
Thanks to all GS Advisory Board members who took time to respond to our questions.